
Solaris 10 Cert

NFS Mounts
The soft option attempts to mount a file system once, then gives up with an error message if it fails.
The intr option allows applications to be interrupted while waiting for a remote mount.
The bg option tells mount to retry a failed mount attempt in the background, allowing the foreground mount process to continue.
By default, NFS mounts are not performed in the background, so fg is the default.
anon=-1
Unauthenticated users have no access to this file system
share -F nfs -o ro,rw=sales,root=admin /export/stuff
- The root user from the client admin is allowed superuser access to the shared resource, but this does not override the read-only share option.
autofs
/etc/auto_master: <mountPoint> <mapName> [mountOptions]
|-> /local auto_local -nobrowse (indirect map)
|-> /- -> this map is a direct map or that no particular mount point is specified
/etc/auto_direct: <key> [<mountOptions>] <location>
/share senate:/export/local/share
The -nobrowse option prevents all of the unmounted mount points from being displayed
RAID
RAID 1 performs better than RAID 5 for write-intensive applications
Parity slows down performance, whereas striping improves it
Which two are correct statements about the performance of a RAID 1 (mirror) in comparison with a RAID 5 volume?
- Hardware costs are highest with RAID 1 (You need at least twice as much disk space as the amount of data to be mirrored)
- Best performance during failure (If one of the submirrors fails the other one is still active. With RAID 5 any failure will result in no access to that data while the data is rebuilt from the parity information)
By default, the Solaris Volume Manager software is configured to support 128 logical volumes (up to 8192 logical volumes per disk set)
The system cannot reboot into multiuser mode unless a majority (half + 1) of the total number of state database replicas is available
Which two are valid mirror read policies in Solaris Volume Manager (SVM)?
First is a valid mirror read policy in SVM
Geometric is a valid mirror read policy in SVM
Parallel is a mirror write policy in SVM
Solaris Volume Manager does not support five-way mirrors.

telnet logs with daemon.notice


Temporarily Disabling User Logins
touch /etc/nologin
authorization:
# grep helper /etc/security/prof_attr
helper:::auths=solaris.jobs.grant;help=JobsGrant.html
# grep helper /etc/user_attr
joe::::type=normal;profiles=helper
-> The user joe can delegate any assigned authorizations with the same prefix to other users.
It is not recommended practice to allocate rights and authorizations directly to regular user accounts
Creating a role account with the required rights and authorizations and giving all responsible users access to this account will ensure that these users are able to perform administration but will not have full super-user privileges.
auths show the assigned authorizations of a user -> auths user1
Which two are entities which can be assigned to a Rights Profile?
+A rights profile can be assigned to another rights profile.
+Authorizations can be assigned to rights profiles.
-Rights profiles are assigned to roles, not the other way round.
-Passwords are assigned to roles and users.
-Profile shells are assigned to roles.
The /etc/user_attr file is used to associate roles, authorizations, and users.
The /etc/security/prof_attr file is the profile description database
The /etc/security/exec_attr file is a local database that is used to associate rights profiles with commands and security attributes.
The /etc/security/policy.conf file can be used to specify default authorizations for all users
mech@S0000 $ more /etc/user_attr
adm::::profiles=Log Management
postgres::::type=role;profiles=Postgres Administration,All
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
vdcfexec::::type=normal;profiles=VDCF Remote Execution
webservd::::type=normal;profiles=VDCF Logger,VDCF install Module
mech@S0000 $ more /etc/security/prof_attr
All:::Execute any command as the user or role:help=RtAll.html
Audit Control:::Configure BSM auditing:auths=solaris.audit.config,solaris.jobs.admin,solaris.admin.logsvc.purge,solaris.admin.logsvc.read;help=RtAuditCtrl.html
Audit Review:::Review BSM auditing logs:auths=solaris.audit.read;help=RtAuditReview.html
ZFS File System Management:::Create and Manage ZFS File Systems:help=RtZFSFileSysMngmnt.html
ZFS Storage Management:::Create and Manage ZFS Storage Pools:help=RtZFSStorageMngmnt.html
Zone Management:::Zones Virtual Application Environment Administration:help=RtZoneMngmnt.html
VDCF resource Module:::Allows Execution of VDCF resource Modules:
VDCF hwmonitor Module:::Allows Execution of VDCF hwmonitor Modules:
mech@S0000 $ more /etc/security/exec_attr
All Actions:solaris:act:::*;*;*;*;*:
All:solaris:act:::*;*;*;*;*:
All:suser:cmd:::*:
Audit Control:solaris:act:::AuditClass;*;*;*;*:privs=all
Audit Control:solaris:act:::AuditControl;*;*;*;*:privs=all
Audit Control:solaris:act:::AuditEvent;*;*;*;*:privs=all
VDCF virtual Module:solaris:cmd:::/opt/jomasoft/vdcf/mods/virtual/vsrv_show:privs=all
VDCF virtual Module:solaris:cmd:::/opt/jomasoft/vdcf/mods/virtual/vsrv_uninstall:privs=all
Web Console Management:solaris:cmd:::/usr/share/webconsole/private/bin/smcwebstart:uid=noaccess;gid=noaccess;privs=proc_audit
ZFS File System Management:solaris:cmd:::/sbin/zfs:euid=0
Zone Management:solaris:cmd:::/usr/sbin/zoneadm:uid=0
Zone Management:solaris:cmd:::/usr/sbin/zonecfg:uid=0
VDCF hwmonitor Module:solaris:cmd:::/opt/jomasoft/vdcf/mods/hwmonitor/hwmon_show_usage:privs=all
VDCF install Module:solaris:cmd:::/opt/jomasoft/vdcf/mods/install/cgi/keep_alive.cgi:privs=all
VDCF install Module:solaris:cmd:::/opt/jomasoft/vdcf/mods/install/cgi/transfer_usage_info.cgi:privs=all
mech@S0000 $ more /etc/security/auth_attr
<<<<<<< auth_attr:::::
solaris.:::All Solaris Authorizations::help=AllSolAuthsHeader.html
solaris.admin.dcmgr.:::OS Server Manager::help=AuthDcmgrHeader.html
solaris.admin.dcmgr.admin:::Manage OS Services and Patches::help=AuthDcmgrAdmin.html
solaris.admin.printer.delete:::Delete Printer Information::help=AuthPrinterDelete.html
solaris.admin.printer.modify:::Update Printer Information::help=AuthPrinterModify.html
solaris.admin.printer.read:::View Printer Information::help=AuthPrinterRead.html
solaris.admin.privilege.:::Privileges::help=AuthPrivilegeHeader.html
solaris.admin.privilege.write:::Manage Privileges::help=AuthPrivilegeWrite.html
solaris.snmp.write:::Set SNMP Information::help=AuthSnmpWrite.html
solaris.system.:::Machine Administration::help=SysHeader.html
solaris.system.date:::Set Date & Time::help=SysDate.html
solaris.system.shutdown:::Shutdown the System::help=SysShutdown.html
auth_attr. Authorization attributes database. Defines authorizations and their attributes.
exec_attr. Execution attributes database. Identifies the commands with security attributes that are assigned to specific rights profiles.
prof_attr. Rights profile attributes database. Defines rights profiles and lists the assigned authorizations for the profiles.
user_attr. Extended user attributes database. Associates users with roles and roles with authorizations and rights, typically through profiles. These four databases also contain the relationships between rights, rights profiles, roles, and users.

The policy.conf database contains authorizations, privileges, and rights profiles that are applied to all users.
The Authorization Attributes Database (/etc/security/auth_attr)
<authname>:<res1>:<res2>:<short_desc>:<long_desc>:<attr>
solaris.printmgr.:::Printer Manager::help=PrinterManager.html
The Execution Attributes Database (/etc/security/exec_attr)
<profileName>:<policy>:<type>:<res1>:<res2>:<id>:<attr>
File System Management:suser:cmd:::/usr/sbin/ff:euid=0
File System Management:solaris:cmd:::/usr/sbin/mount:privs=sys_mount
VDCFGraph Module:solaris:cmd:::/opt/jomasoft/vdcf/mods/hwmonitor/hwmon_show:privs=zone
The Profile Attributes Database (/etc/security/prof_attr)
<profileName>:<res1>:<res2>:<desc>:<attr>
VDCFGraph Module:::Allows Execution of list and show Commandos:
The User Attributes Database (/etc/user_attr)
<user>:<qualifier>:<res1>:<res2>:<attr>
jedward::::type=normal;roles=operator
operator::::profiles=Operator;type=role
webservd::::type=normal;profiles=VDCF Logger,VDCF install Module,VDCFGraph Module
Authorizations and Privileges are assigned to a Rights Profile
A Rights Profile can include other Rights Profiles
A Rights Profile is assigned to a role or User
A Role is assigned to a User
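Added example (not part of the original notes): a small Python resolver over the user_attr, prof_attr and exec_attr formats above, showing which authorizations an account holds through nested rights profiles and which of its profile commands run as root. The sample entries are constructed, and policy.conf defaults and wildcard authorizations are not modeled.

```python
# Constructed sample databases in the formats shown above (not from a real host).
USER_ATTR = """\
jedward::::type=normal;roles=operator
operator::::profiles=Operator;type=role
"""
PROF_ATTR = """\
Operator:::Simple admin tasks:profiles=Printer Management,File System Management
Printer Management:::Manage printers:auths=solaris.admin.printer.read,solaris.admin.printer.modify
File System Management:::Manage file systems:auths=solaris.system.shutdown
"""
EXEC_ATTR = """\
File System Management:suser:cmd:::/usr/sbin/ff:euid=0
File System Management:solaris:cmd:::/usr/sbin/mount:privs=sys_mount
Zone Management:solaris:cmd:::/usr/sbin/zoneadm:uid=0
"""

def parse_attrs(field):
    """Turn 'k=v1,v2;k2=v' into {'k': ['v1', 'v2'], 'k2': ['v']}."""
    out = {}
    for pair in filter(None, field.split(";")):
        key, _, value = pair.partition("=")
        out[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return out

def load(text, nfields):
    """Index a colon-separated database by its first field."""
    db = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            parts = line.split(":", nfields - 1)
            db.setdefault(parts[0], []).append(parts[1:])
    return db

USERS, PROFS, EXECS = load(USER_ATTR, 5), load(PROF_ATTR, 5), load(EXEC_ATTR, 7)

def attrs_of(db, name):
    # Parsed attr field (always the last field) of the first entry for name.
    return parse_attrs(db[name][0][-1]) if name in db else {}

def profiles_of(account):
    """Rights profiles of an account, following nested profiles= in prof_attr."""
    seen, todo = [], list(attrs_of(USERS, account).get("profiles", []))
    while todo:
        prof = todo.pop(0)
        if prof not in seen:  # also stops profile cycles
            seen.append(prof)
            todo.extend(attrs_of(PROFS, prof).get("profiles", []))
    return seen

def auths_of(account):
    """Authorizations held directly or via profiles; a role's rights are not
    included for the user, who gets them only after assuming the role."""
    auths = set(attrs_of(USERS, account).get("auths", []))
    for prof in profiles_of(account):
        auths.update(attrs_of(PROFS, prof).get("auths", []))
    return sorted(auths)

def root_commands(account):
    """exec_attr commands in the account's profiles run as uid/euid 0 or privs=all."""
    hits = []
    for prof in profiles_of(account):
        for *_, cmd, attr in EXECS.get(prof, []):
            a = parse_attrs(attr)
            if "0" in a.get("uid", []) + a.get("euid", []) or "all" in a.get("privs", []):
                hits.append((prof, cmd, attr))
    return hits
```

Running root_commands over every account in user_attr is a quick way to review which profiles hand out root-equivalent commands.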
Which command should you execute to assign access to the role printmgr to the existing user user1?
- usermod -R printmgr user1
You wish to assign the Printer Management rights profile to the user bill?
- Run the command usermod -P "Printer Management" bill.
Role created, but su to the role fails with an unknown id error
-> refresh nscd to update the cache
Which two are databases which are cached by the Name Service Cache Daemon (nscd)?
- The group database is cached by the Name Service Cache Daemon (nscd)
- The ipnodes database is cached by the Name Service Cache Daemon (nscd)
Allow a script to write to /var/adm/messages
A. Add the entry logger -p local0.info "LOG FILES CLEARED DOWN" to the shell script.
C. Add the entry local0.info /var/adm/messages to the file /etc/syslog.conf.
F. Run the command svcadm refresh system/system-log
Valid Syslog Facilities:
The facility field can contain only 16 codes:
kern      Messages generated by the kernel.
user      Messages generated by user processes.
mail      The mail system.
daemon    System daemons, such as the in.ftpd and the telnetd daemons.
auth      The authorization system, including the login and su commands.
syslog    Messages generated internally by the syslogd daemon.
lpr       The line printer spooling system, such as the lpr and lpc commands.
news      Files reserved for the USENET network news system.
uucp      (obsolete) The UNIX-to-UNIX copy (UUCP) system does not use the syslog function.
cron      The cron and at facilities, including crontab, at, and cron.
local0-7  Eight user-defined codes.
The level selector specifies the severity or importance of the message.
Each level includes all the levels above (of a higher severity).
To remember the sequence for the certification exam you can use an appropriately constructed phrase like "Every alerted cardriver escapes warning notice"
emerg    0  Panic conditions that are normally broadcast to all users
alert    1  Conditions that should be corrected immediately, such as a corrupted system database. Only sysadmin of a particular server needs to be informed by mail or paged.
crit     2  Warnings about critical conditions, such as hard device errors.
err      3  Errors other than hard device errors
warning  4  Warning messages that generally do not interfere with normal operation.
notice   5  Non-error conditions that might require special handling
info     6  Purely informational messages (usually do not require any handling)
debug    7  Messages that are normally used only when debugging a program
none     8  Messages are not sent from the indicated facility to the selected file
Verify /etc/syslog.conf
/usr/ccs/bin/m4 -D LOGHOST /etc/syslog.conf
name service must be hierarchical and required to be Internet wide
-NIS+ will provide a hierarchical solution but is not Internet wide.
-LDAP will provide a hierarchical solution but is not yet Internet wide.
+DNS will provide a hierarchical solution and is Internet wide.
characteristics of the NIS Naming Service
- Does not use a domain hierarchy
- Information is stored in Maps
characteristics of the NIS+ Naming Service
- Root and non-root Master Servers
characteristics of the LDAP Naming Service
- Uses a Directory Information Tree
- Relative Distinguished Names
three are steps required when configuring a NIS slave server
- It is necessary to configure the NIS domain name on all hosts in the NIS domain
- A NIS slave is configured as a NIS client first to enable it to bind to the master server. It is then reconfigured as a NIS slave
- It is necessary to start the NIS server processes with the svcadm command
files created when you configure an LDAP client
- /var/ldap/ldap_client_cred
- /var/ldap/ldap_client_file
Solaris10 install DNS Setup
- You can specify up to six search domains

Which daemon is responsible for maintaining and updating the client profile information in an LDAP configuration?
- ldap_cachemgr
Which two are daemons which are running on this NIS master server
The rpc.yppasswdd daemon runs on a Solaris 10 NIS master server.
The ypbind daemon runs on a Solaris 10 NIS master server.
The /var/yp/securenets file defines the networks or hosts which are allowed access to information provided by the Network Information Service
NIS maps need to be updated
You must be in the /var/yp directory when the /usr/ccs/bin/make command is run. This is the location of the timestamp files that are referenced by the /usr/ccs/bin/make program
The ypwhich -m command displays the master server for each NIS map
you wish to ensure that the root user's password account information is not incorporated in the NIS passwd maps
Copying these files to the location specified by the PWDIR value (/var/yp/Makefile) allows the NIS master to source user account information from somewhere other than the /etc directory. The entries that are not required in the NIS map can be deleted from the files in this location.
Zones
The zoneadmd daemon is primarily responsible for managing the zone's virtual platform
Every zone has an associated kernel process called zsched. The zsched process keeps track of per-zone kernel threads
zoneadm -z apache-zone ready -> ask for:
You will be asked to provide the Timezone value.
Name service information will be requested.
You will be asked to provide the root password.
zonecfg -z webzone delete -> failed
-> The zone must be uninstalled before being deleted.
Jumpstart
Which three are sources from which JumpStart clients can obtain identification information?
The JumpStart client can obtain its IP address from the /etc/inet/hosts file on the boot server.
The /export/config/sysidcfg file contains configuration information for the client.
A name service can supply identification information required by a JumpStart client.
The first entry found for any value in the sysidcfg file is used by the client.
services which are found in a Jumpstart configuration
- Configuration
- Identification
- Boot
- Installation
Which two are functions of the check script?
- It looks for errors in client profile files.
- It generates the rules.ok file read by clients.
rules file:
hostname sales1 && memsize 512MB-1024MB - sales_config additions
|        |                              | |            |
|        |                              | |            +-- Finish script
|        |                              | +-- Profile
|        |                              +-- Begin script
|        +-- Rule value (specific system attribute)
+-- Rule keyword (general system attributes)
DHCP
Which are vendor options which you need to add to the macro?
- The SrootNM option is used to supply the name of the boot server which provides the root file system to use when installing
- The SinstIP4 option is used to supply the IP address of the install server to a client
- SrootPTH is used to supply the path to the root server path
- SrootIP4 is used to supply the IP address of the root server
Network
The /etc/inet/hosts file is a local database that associates the names of hosts with their Internet Protocol version 4 (IPv4) addresses
The /etc/inet/ipnodes file is a local database that associates the names of nodes with their Internet Protocol (IP) addresses. IP addresses can be either an IPv4 or an IPv6 address
The inetadm -l ftp command will only list the properties for the specified service instances as name=value pairs
The svcs -l command displays information about the state of services on which a given service depends
The command rpcinfo -p will show you whether the NFS services are registered with the rpcbind daemon
Which command enables TCP tracing for all services started by inetd?
- inetadm -M tcp_trace=TRUE
The rpcbind daemon associates program numbers with port numbers. rpcbind does not start any processes
The inetd daemon is a special process that runs on all systems and starts server processes that do not start at boot time. inetd starts services that use well-known port numbers and RPC-based services
Coreadm/Dumpadm
The command "coreadm -e global -g /var/dump" will enable global core file dumps and they will be placed in /var/dump
The command "coreadm -d process" will disable per-process core file dumps.
root@S0013 # coreadm
global core file pattern:
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
root@S0013 # coreadm -g /var/core/core.%f.%p
root@S0013 # coreadm -G all
root@S0013 # coreadm -e log
root@S0013 # coreadm -e global
root@S0013 # mkdir /var/core/
root@S0013 # coreadm
global core file pattern: /var/core/core.%f.%p
global core file content: all
init core file pattern: core
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: enabled
root@S0013 # kill -SIGSEGV 1446
CONSOLE: Dec 15 11:12:21 S0013 genunix: NOTICE: core_log: sshd[1446] core dumped: /var/core/core.sshd.1446
root@S0013 # ls -l /var/core/
-rw------- 1 root root 5320962 Dec 15 11:12 core.sshd.1446
The dumpadm -m 10% command sets a minimum amount of free space to maintain in the filesystem where the crash dump files are written to
dumpadm -d /dev/dsk/c0t1d0s1
The -d option to the dumpadm command is used to specify an alternative dump device. A dedicated dump device has to be a slice that is not being used by any other resource. It cannot be swap space.
Mountoptions
soft  The soft mount option will allow failed requests to timeout
bg    The bg option to the mount command ensures that if the first mount attempt fails the system will retry in the background. This allows the rest of the boot process to continue
fg    The fg option to the mount command ensures that if the first mount attempt fails the system will retry in the foreground. This will prevent the rest of the boot process from being able to continue
hard  The hard mount option will cause the client to continue to retry requests until the server responds. This could cause the client system to hang if the remote filesystem is unavailable
Which mechanism do the TCP and UDP transport protocols use to identify which application a network service request is destined for?
-The "program number" is used by RPC-based services.
+TCP and UDP use network "port numbers" to distinguish between different network services
Which phrase describes the pages that contain private data or stack information of a running process that do not exist in any file system on disk?
Anonymous Memory Pages contain the private data or stack information of a running process.
Live Upgrade:
root@S0002 # luupgrade
ERROR: At least one option from <-c, -C, -f, -i, -I, -p, -P, -t, -T, -u> must be specified.
USAGE: luupgrade [ -u | -f | -p | -r | -P | -R | -i | -c ] [ -l error_log ] [ -o outfile ] [ -N ] [ -X ] [ additional optional and required parameters ]:
OS Upgrade: luupgrade -u -n BE_name [ -l error_log ] [-k autoregfile] [ -o outfile ] [ -N ] [ -X ] [ -D ] -s source_os_image_path [ -j profile_path ]
Flash Upgrade: luupgrade -f -n BE_name [ -l error_log ] [-k autoregfile] [ -o outfile ] [ -N ] [ -X ] [ -D ] -s source_os_image_path ( -a archives | -j profile_path | -J profile )
Add Packages: luupgrade -p -n BE_name [ -l error_log ] [ -o outfile ] [ -N ] [ -X ] ( ( -s|-d ) source_packages_path ) [ -a pkg_admin_file ] [ -O pkgadd_options ] [ pkginst [ pkginst... ] ]
Remove Packages: luupgrade -P -n BE_name [ -l error_log ] [ -o outfile ] [ -N ] [ -X ] [ -O pkgadd_options ] pkginst [ pkginst... ]
Check Packages: luupgrade -C -n BE_name [ -l error_log ] [ -o outfile ] [ -N ] [ -X ] [ -O pkgchk_options ] [ pkginst [ pkginst... ] ]
Package Info: luupgrade -I -n BE_name [ -l error_log ] [ -o outfile ] [ -N ] [ -X ] [ -O pkginfo_options ] [ pkginst [ pkginst... ] ]
Add Patches: luupgrade -t -n BE_name [ -l error_log ] [ -o outfile ] [ -N ] [ -X ] -s source_patches_path [ -O patchadd_options ] [ patchname [ patchname... ] ]
Remove Patches: luupgrade -T -n BE_name [ -l error_log ] [ -o outfile ] [ -N ] [ -X ] [ -O patchrm_options ] patchname [ patchname... ]
Run Installer: luupgrade -i -n BE_name [ -l error_log ] [ -o outfile ] [ -N ] [ -X ] -s install_image_path [ -O installer_options ]
Check Media: luupgrade -c [ -l error_log ] [ -o outfile ] [ -X ] -s image_path
INFORMATION: Any BE_name or options should be enclosed in single quotes.
